Android Was 2016's Most Vulnerable Product

With 2016 officially over, we can crown Android as 2016's product with most vulnerabilities, and Oracle as the vendor with the most security bugs.

This statistic is based on the number of vulnerabilities reported by security researchers in the past year, bugs which have received a CVE identifier.

Android is 2016's most vulnerable product

According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award."

Second place in this ranking went to Debian Linux with 319 vulnerabilities, while third place went to Ubuntu Linux with 278 CVEs.

2015's winner, Mac OS X came only eleventh this year, with 215 security bugs, compared to last year, when researchers found 444 bugs in Apple's main OS.

Past winners of this "prestigious award" include:

Apple Mac OS X in 2015 (444 bugs)

Internet Explorer in 2014 (243 bugs)

The Linux Kernel in 2013 (189 bugs)

Google Chrome in 2012 (249 bugs)

Google Chrome in 2011 (266 bugs)

Google Chrome in 2010 (152 bugs)

Mozilla Firefox in 2009 (126 bugs)

Mozilla Firefox tied with Apple OS X in 2008 (96 bugs)

PHP in 2007 (114 bugs)

Apple OS X in 2006 (106 bugs)

Linux Kernel in 2005 (133 bugs)

Internet Explorer in 2004 (59 bugs)

Solaris OS in 2003 (44 bugs)

Internet Explorer in 2002 (54 bugs)

RedHat Linux in 2001 (47 bugs)

RedHat Linux again in 2000 (47 bugs)

Windows NT in 1999 (64 bugs)

Oracle is 2016's vendor with most security bugs

When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs.

Most of these security bugs have been reported in Oracle products such as MySQL, Solaris, and its custom Linux OS version.

Second to Oracle was Google, with 698 security bugs, with the most being reported in products such as Android and Chrome. Third was Adobe with 548 bugs, with the vast majority of bugs reported in Flash Player and different Reader/Acrobat variants.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Agreed John. Android's unintentional problem of being in the disposable cell phone industry is killing them, I think. I don't mean go phones, I mean the tendency for phones to be made with the idea you will need to buy a new one every 2 years. I hope the Google Pixel is the first attempt to break that behavior, make a phone that actually lasts, less of an open system and more of a closed one.

Until further detailed, I think that this study has to be taken with a grain of salt. There are lots of sub-systems having vulnerabilities, and are part of all these OS. It would be interesting to have stats of problems on common sub-system codes and problems only found in a specific OS code. Can third-party code really be trusted?

The number of CVEs alone is not a very useful metric, as it doesn't take into account the severity of the bugs, the size of the project, how many potential bugs remain, how much time and effort was spent on finding bugs or if it's possible to look at the source code.

I'm curious how this data is compiled. Apple, for instance, is listed as having a total of 324 vulnerabilities... but there are only two Apple products listed above, and they total to more than that: OS X -&gt; 215, iOS -&gt; 161.

Is this really implying that there's enough shared codebase between those two OSes that they share 52 vulnerabilities? Nearly a quarter of OS X vulnerabilities and a third of iOS?